I was very interested to read a report that came out Tuesday in the online publication TechRepublic. That report relayed the results of a survey by RiskIQ, a San Francisco-based digital threat management solutions provider.
As Alison DeNisco Rayome noted in her article, entitled “Security nightmares: These 3 threats keep CISOs up at night,” “The barrage of cyberattacks that CISOs must diffuse on a daily basis show no signs of slowing: 89% of all information security leaders report concerns over the rise of digital threats their organizations are experiencing across web, social, and mobile channels, according to a new report from RiskIQ. According to the 1,691 US and UK CISOs surveyed for the report, the top threats keeping CISOs up at night are as follows: 1. Phishing and malware attacks on employees and customers 2. Brand impersonation, abuse, and reputational damage. 3. Information breaches.”
Further, in its announcement on Tuesday, RiskIQ had stated this: “RiskIQ, the leader in digital threat management, today announced the release of its 2018 CISO Survey, revealing that 89.1 percent of all information security leaders are concerned about the rise of digital threats they are experiencing across web, social and mobile channels. Some 1,691 U.S. and U.K. information security leaders across multiple verticals, including enterprise, consulting, government and education, provided insights into their cyber risk concerns and plans for 2018. Overall,” the RiskIQ announcement noted, “the survey revealed a coming ‘perfect storm’, where the problem of staff shortages collides with escalating cybercrime, leaving organizations ill-equipped to manage and respond to cyber risks and threats that are accelerating in an era of digital transformation, pervasive connections and increasingly sophisticated attack strategies sponsored by nation-states and rogue actors.” And, it added, issues around the Spectre and Meltdown phenomena dominated the news in early 2018, and after a year of major security breach announcements and settlements, including Equifax, Yahoo and Anthem, concern over breaches should hardly be surprising.
Among the key findings of the RiskIQ survey of CISOs in the United States and United Kingdom, across all industries:
> 67 percent of cybersecurity leaders do not have sufficient staff to handle the daily barrage of cyber alerts they receive
> 60 percent expect digital threats to grow as their organizations increase online engagement with customers
> The top three digital threats information security leaders fear are phishing and malware attacks on employees and customers; brand impersonation, abuse, and reputational damage; and information breaches
> The top risk organizations face today is a lack of experienced staff to monitor and help protect networks from cybercrime
> Currently, 37 percent of firms have engaged a managed security services provider (MSSP) to help monitor and manage cyber threats
In releasing his company’s survey, CEO Lou Manousos said, “The RiskIQ 2018 CISO Survey illuminates a growing industry-wide problem, which is that cybercrime is growing at scale, and enterprises are already experiencing critical staff shortages. That’s one reason 1 in 3 organizations have engaged with an MSSP to combat cyber risks and threats, and we expect that number to grow as the competition for top security talent gets far more intense.”
We’re not alone in healthcare
So, what to make of all these results? Well, let’s see… First of all, it’s striking how much commonality there is among different industries when it comes to the cyberthreats and cybersecurity issues facing CISOs and other IT leaders.
We really aren’t alone in healthcare. And that’s both “good” and “bad.” What I mean by that is that, on a certain level, it’s very helpful and good to know that healthcare IT leaders are not alone in this struggle; they are not uniquely subject to the vast range of cybersecurity threats out there in the world. Indeed, virtually every business industry is facing the same broad outlines, and there are CISOs in every industry that has information systems (which is virtually every industry nowadays).
The numbers alone are chilling. The fact that “67 percent of cybersecurity leaders do not have sufficient staff to handle the daily barrage of cyber alerts they receive,” and the fact that “60 percent expect digital threats to grow as their organizations increase online engagement with customers,” are both deeply concerning.
What’s more, I found this particularly fascinating: “The top three digital threats information security leaders fear are phishing and malware attacks on employees and customers; brand impersonation, abuse, and reputational damage; and information breaches.” Now, here’s where things get interesting, because while healthcare organizations face the same broad cyberthreats as other industries, it is also true that healthcare is particularly vulnerable in certain respects. That’s because, while phishing attacks can impact any type of business organization, patient care organizations are faced with the special vulnerability around protected health information (PHI), which is at the core of the data and information that they maintain and work with.
Certainly, the breaching of any core personal information—Social Security numbers, credit card numbers, financial information—is a dangerous and very bad thing. But as those who have been paying attention know, the value to cybercriminals of personal health/medical information is many times that of, say, information gleaned from credit cards. And that means that the healthcare industry will continue to be more aggressively targeted, for certain types of information, than other industries.
What’s more, healthcare remains behind other industries in terms of gearing up effectively to meet these challenges.
Fortunately, innovative CISOs in U.S. healthcare are helping to lead their colleagues forward towards successful approaches to these issues. As Sriram (Sri) Bharadwaj, CISO at UC-Irvine Health in Irvine, California, told Managing Editor Rajiv Leventhal in an interview in December, “The cyber threat landscape has definitely changed. When I look at just the UCs (University of California organizations), or any of the hospitals in our vicinity, they have changed purely for two reasons. First, we have started investing in technologies that help address some of the typical threats that we have seen in our environment. Now, have they been mitigated or remediated? I don’t think so; the threats have morphed into something else now that really needs to be addressed. But if you take a technology that you can use to trap issues at the perimeter rather than at the desktop or endpoint level, now your risk or threat mechanism has shifted to the perimeter rather than to your internal environment. That doesn’t mean the risk has gone away, though.”
What’s more, Bharadwaj said, “Second, the insider threats have not gone away; they are becoming more sophisticated in that people are allowing insiders to come through by making an error or mistake where they didn’t know that the threat existed. So you need more intelligent tools to actually understand the threat and then take measures to mitigate it.” And, in that regard, he said, in response to a question about the strategies that he and his colleagues have been implementing at UC Irvine Health, “The biggest strategy we have implemented is a culture of security awareness. That’s the biggest thing we have done for quite some time now. The level of engagement we have from leadership has shifted from ‘It’s a security issue’ to ‘I need to inform someone so that this doesn’t impact my organization.’ That shift has helped us mitigate some of the risks we see at the insider threat level.”
And, as was discussed in San Diego on February 2, we’re collectively learning from such global attacks as “WannaCry” and “PETYA/NotPETYA.” At our Healthcare Informatics Health IT Summit in San Diego two weeks ago, UC Irvine Health’s Bharadwaj led an excellent panel discussion around these issues.
In that discussion, Stan Banash, CISO of Children’s Hospital of Orange County (Orange, Calif.), said, “The key questions are, are you managing your risk? Do you understand your attack surfaces? What vectors are you vulnerable to? When this started out, no one knew what was going on; it was crazy. If you had one of those maps in your security center, it was all lit up, and it looked like ‘War Games.’ Initially, we thought it was via email, and we were chasing emails, but when we found out it was SMB vulnerability, we were able to chase that down. We were hit, but there was no successful attack on us. But understanding what was in your environment—it never became more important than on that day. And those MRI machines running on Windows XP—those machines are million-dollar pieces of equipment; it’s hard to justify new purchases to the board. I would say we were lucky; I’d like to say we manage things well, but we did get lucky.”
What’s more, CISOs and their colleagues in patient care organizations are connecting more and more with law enforcement officials in order to meet these challenges. Asked on the panel about connections with law enforcement, Christian Abou Jaoude, director of enterprise architecture at Scripps Health (San Diego), said, “We do have a direct contact with law enforcement; we also have a protocol that we follow that’s been well-established. We followed those procedures, but the same thing happened to us: there wasn’t much information available during the first couple of days” following the WannaCry attack. “So I went out and read as much as I could about it, read articles to see whether there was something different about this. So we enacted that process, sent out notifications, and then a few days later, everyone learned what had happened.”
In the end, the reality is that the broad set of cybersecurity challenges facing patient care organizations—and all business organizations in all countries—will continue forward, simply because, unfortunately, there will always be cyber-criminals eager to wreak havoc on the information systems of all business organizations. The good news? CISOs and their colleagues in healthcare, like the CISOs and their colleagues in other industries, are learning and adapting. They’ll always be catching up with the bad guys, but one can only hope that, a few years from now, in response to questions in surveys like that sponsored by RiskIQ and reported on by publications like TechRepublic, most IT security leaders will be able to answer more confidently about their capabilities and preparedness in this critical area.